EFFICIENT LINEAR FEEDBACK SHIFT REGISTERS 
WITH MAXIMAL PERIOD 



BOAZ TSABAN AND UZI VISHNE 

Abstract. We introduce and analyze an efficient family of linear
feedback shift registers (LFSR's) with maximal period. This family
is word-oriented and is suitable for implementation in software,
and thus provides a solution to a recent challenge [8]. The classical
theory of LFSR's is extended to provide efficient algorithms for
generation of irreducible and primitive LFSR's of this new type.



1. Linear feedback shift registers 

Linear feedback shift registers (LFSR's) are fundamental primitives
in the theory and practice of pseudorandom number generation and
coding theory (see, e.g., P, [Sj, [Hj, [Z|, and references therein).

Figure 1 describes a typical LFSR over the two-element field $F_2 =
\{0, 1\}$, where each step consists of adding some of the state bits (we
follow the convention that the elements of $F_2$ are called bits), and the
result is inserted into the register in a FIFO manner.

Figure 1. A typical LFSR.

Such a construction is slow in the sense that it produces only one
new bit per step. Moreover, it is difficult to implement in software,
since many bit manipulations are required. In certain cases (but not
always [IDI), it is possible to use LFSR's with only two feedback taps.
This makes a slightly faster LFSR. (See also Section 7.)

In the 1994 conference on fast software encryption, a challenge was
set forth to design LFSR's which exploit the parallelism offered by the
word-oriented operations of modern processors [8, §2.2]. In this paper
we suggest a solution and study its properties.

2. Linear transformation shift registers

Fix an arbitrary finite field $F$. A sequence $\sigma = (s_n)_{n=0}^{\infty}$ of elements
from $F$ is linear recurring with characteristic polynomial
$$f(\lambda) = a_0 + a_1 \lambda + \cdots + a_d \lambda^d \in F[\lambda]$$
if $a_d = 1$, and
$$a_0 s_n + a_1 s_{n+1} + \cdots + a_d s_{n+d} = 0$$
for all $n = 0, 1, 2, \ldots$. The minimal polynomial of a linear recurring
sequence $\sigma$ is the characteristic polynomial of $\sigma$ of least degree. Let
$\sigma$ be a nonzero linear recurring sequence with an irreducible characteristic
polynomial $f(\lambda)$. It is well known (cf. [2]) that the period
of $\sigma$ is equal to the order of $\lambda$ in the multiplicative group of the
field $K = F[\lambda]/(f(\lambda))$. If $\lambda$ generates the whole group, we say that
$f(\lambda)$ is primitive. (In this case $\sigma$ has the maximal possible period
$|K| - 1 = |F|^d - 1$, where $d = \deg f(\lambda)$.) Likewise, for any natural
number $d$, if $T$ is a linear transformation of $F^d$ and $v \in F^d$ is nonzero,
then the sequence $(T^n(v))_{n=0}^{\infty}$ of vectors in $F^d$ has period $|F|^d - 1$ if
and only if the characteristic polynomial of the linear transformation
$T$ is primitive over $F[\lambda]$. If this is the case we say that $T$ is primitive.

We now introduce the family of linear transformation shift registers
(TSR's). For convenience of presentation, we pack $m \cdot n$-dimensional
vectors in an array $(v_0, \ldots, v_{n-1})$ of $n$ vectors in $F^m$ ($n$ and $m$ will be
fixed throughout the paper). In the intended application, $F = F_2$ and
$m$ is the number of bits in the processor's word. Typical values of $m$
are 8, 16, 24, 32, and 64. This way, the array $(v_0, \ldots, v_{n-1})$ is stored in
$n$ processor words. Following this interpretation, elements of $F^m$ will
be called words.

Definition 2.1. Let $T$ be a linear transformation of $F^m$, and let
$S = (a_0, \ldots, a_{n-1}) \in F^n$. A TSR step $(T, S)$ of the array $R =
(v_0, \ldots, v_{n-1}) \in M_{m \times n}(F)$ is the linear transformation
$$(T, S)(R) := (v_1, v_2, \ldots, v_{n-1}, T(a_0 v_0 + a_1 v_1 + \cdots + a_{n-1} v_{n-1})).$$
The system $(T, S, R)$ is called a TSR.

Figure 2 illustrates a typical example of a TSR. An obvious advantage
over the standard LFSR is that here a whole new word (rather
than a single bit) is produced per step.

Figure 2. A typical TSR.

Linear transformations on processor words can be performed very
efficiently, either using lookup tables, or by using specific linear
transformations which are efficient when working on processor words, e.g.
Galois-type shift registers. The latter example has the advantage that
no additional memory is required (see, e.g., [3, pp. 378-379]). Note
further that choosing each of the $a_i$'s to be either 0 or 1 eliminates the
complexity of the multiplications $a_i v_i$. One cannot, however, eliminate
the complexity of the transformation $T$ as well by using the identity
transformation $T = I$: in this case the period cannot be greater than
$|F|^n - 1$, whereas in principle, memory of $n$ words can yield period
$|F|^{mn} - 1$.

Simulations show that there exist choices for $T$ and $S$ such that the
resulting TSR step is primitive, and thus yields a sequence of vectors
with period $2^{mn} - 1$. In the following sections we provide necessary
conditions on $T$ and $S$ in order that the resulting TSR step is primitive.
Choosing $T$ and $S$ to satisfy these conditions increases the probability
that the resulting TSR is primitive, compared with a random choice of
these parameters. Thus, we will get an efficient algorithm for generation
of primitive TSR's.
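An added example (not from the paper) of a TSR step over $F_2$ with a Galois-type $T$ on $m$-bit words, together with a brute-force period count on constructed toy parameters ($m = 4$, $n = 2$, $S = (1, 1)$), contrasting $T = I$ with a primitive $T$:

```python
# Added example (not from the paper): a TSR step over F2 with a Galois-type T on
# m-bit words, and a brute-force period count for constructed toy parameters.

def galois_T(feedback, m):
    """T(v) = v * x in F2[x]/(feedback): a Galois shift register on m-bit words.
    `feedback` is an int with bit m set; it is also T's characteristic polynomial."""
    mask = (1 << m) - 1
    def T(v):
        v <<= 1
        if v >> m: v ^= feedback   # the bit shifted out selects the feedback taps
        return v & mask
    return T

def identity_T(v):                 # T = I: no mixing inside a word
    return v

def tsr_step(T, S, state):
    """(T, S)(v0, ..., v_{n-1}) = (v1, ..., v_{n-1}, T(a0 v0 + ... + a_{n-1} v_{n-1})).
    Over F2 each a_i is 0 or 1, so the sum is an XOR of the selected words."""
    acc = 0
    for a, v in zip(S, state):
        if a: acc ^= v
    return state[1:] + (T(acc),)

def tsr_period(T, S, state):
    """Steps until the nonzero state first recurs. The TSR step is primitive iff
    this equals 2^(mn) - 1 for every nonzero state."""
    start, k = state, 0
    while True:
        state, k = tsr_step(T, S, state), k + 1
        if state == start: return k

def demo():
    """Constructed parameters: m = 4, n = 2, S = (1, 1), start state (1, 0)."""
    S, start = (1, 1), (0b0001, 0b0000)
    # T = I: each bit position is an independent 2-stage LFSR, so the period
    # is at most 2^n - 1 = 3, whatever the word size.
    p_identity = tsr_period(identity_T, S, start)
    # T = multiplication by x in F2[x]/(x^4 + x + 1): by Proposition 3.1 the step has
    # characteristic polynomial l^8 + l^5 + l^3 + l^2 + 1, which is primitive, so the
    # period reaches 2^(mn) - 1 = 255.
    p_galois = tsr_period(galois_T(0b10011, 4), S, start)
    return p_identity, p_galois

if __name__ == "__main__":
    print(demo())   # (3, 255)
```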

3. The characteristic polynomial of a TSR

Identify the linear transformation $T$ operating on words with the
matrix $T \in M_m(F)$ such that $T \cdot v = T(v)$, $v \in F^m$.

Let $I$ denote the $m \times m$ unit matrix. A TSR step $(T, S = (a_0, \ldots, a_{n-1}))$
of the array $R = (v_0, \ldots, v_{n-1}) \in (F^m)^n$ is equivalent to multiplication
of $(v_0, \ldots, v_{n-1})^t$ from the left by the block matrix $[(T, S)] \in M_{nm}(F)$,
where
$$[(T,S)] = \begin{pmatrix}
0 & I & & & \\
& 0 & I & & \\
& & \ddots & \ddots & \\
& & & 0 & I \\
a_0 T & a_1 T & \cdots & a_{n-2} T & a_{n-1} T
\end{pmatrix}.$$
Let $f_S(\lambda) = a_0 + a_1 \lambda + \cdots + a_{n-1} \lambda^{n-1}$ (so that the characteristic
polynomial of $[(T, S)]$ in the case $m = 1$ and $T = (1)$ is $\lambda^n - f_S(\lambda)$),
and let $f_T(\lambda) = |\lambda I - T|$ denote the characteristic polynomial of $T$
(note that the degree of $f_T(\lambda)$ is $m$).

Proposition 3.1. Let $T$ be a linear transformation of $F^m$, and $S =
(a_0, \ldots, a_{n-1}) \in F^n$. Then the characteristic polynomial of the TSR
step $(T, S)$ is
$$f_{(T,S)}(\lambda) = f_S(\lambda)^m \cdot f_T\!\left(\frac{\lambda^n}{f_S(\lambda)}\right).$$

Proof. We multiply each row block by $\lambda$ and add the result to the next
one. Then we use the $-I$ blocks to cancel the terms in the first column
block:
$$|\lambda I - [(T,S)]| =
\begin{vmatrix}
\lambda I & -I & & & \\
& \lambda I & -I & & \\
& & \ddots & \ddots & \\
& & & \lambda I & -I \\
-a_0 T & -a_1 T & \cdots & -a_{n-2} T & \lambda I - a_{n-1} T
\end{vmatrix}
=
\begin{vmatrix}
\lambda I & -I & & & \\
\lambda^2 I & 0 & -I & & \\
\vdots & & & \ddots & \\
\lambda^{n-1} I & 0 & \cdots & 0 & -I \\
\lambda^n I - a_0 T & -a_1 T & \cdots & -a_{n-2} T & -a_{n-1} T
\end{vmatrix}$$
$$=
\begin{vmatrix}
\lambda I & -I & & & \\
\lambda^2 I & 0 & -I & & \\
\vdots & & & \ddots & \\
\lambda^{n-1} I & 0 & \cdots & 0 & -I \\
\lambda^n I - f_S(\lambda) T & 0 & \cdots & 0 & 0
\end{vmatrix}
= (-1)^{m(n-1)} \, |{-I}|^{\,n-1} \, |\lambda^n I - f_S(\lambda) T|
= f_S(\lambda)^m \left| \frac{\lambda^n}{f_S(\lambda)} I - T \right|
= f_S(\lambda)^m \cdot f_T\!\left(\frac{\lambda^n}{f_S(\lambda)}\right).$$
(Moving the first column block past the other $n-1$ column blocks leaves a
block triangular matrix and costs the sign $(-1)^{m(n-1)}$, which cancels
against $|{-I}|^{n-1} = (-1)^{m(n-1)}$.) □
A naive algorithm for generation of a TSR with maximal period
would be to choose the linear transformation $T$ and the set $S$ at random,
calculate the characteristic polynomial $f_{(T,S)}(\lambda)$ using Proposition
3.1 and then check whether it is primitive, repeating this process until
a primitive polynomial is found. In most of the cases, the polynomial
will not be primitive for the reason that it is not even irreducible. The
following corollary shows that much unnecessary work can be avoided.
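The naive procedure above, as an added example (not the paper's code): polynomials over $F_2$ are ints whose bit $i$ is the coefficient of $\lambda^i$, `tsr_charpoly` evaluates the formula of Proposition 3.1, and `is_irreducible`/`is_primitive` are the direct tests over $F$ (Rabin's irreducibility test and the order check used in step 5 of Section 6); `count_primitive` exercises the filter of Corollary 3.2 on the constructed case $m = 4$, $n = 2$.

```python
# Added example (not from the paper): the naive generation test over F = F2.
# Polynomials over F2 are ints (bit i is the coefficient of l^i).

def deg(p): return p.bit_length() - 1

def pmul(a, b):                     # carry-less product
    r = 0
    while b:
        if b & 1: r ^= a
        a <<= 1; b >>= 1
    return r

def pmod(a, m):                     # remainder of a modulo m
    while a and deg(a) >= deg(m):
        a ^= m << (deg(a) - deg(m))
    return a

def ppow(base, e, m):               # base^e modulo m, square and multiply
    r = 1
    while e:
        if e & 1: r = pmod(pmul(r, base), m)
        base = pmod(pmul(base, base), m); e >>= 1
    return r

def pgcd(a, b):
    while b: a, b = b, pmod(a, b)
    return a

def prime_factors(n):
    fs, p = [], 2
    while p * p <= n:
        if n % p == 0: fs.append(p)
        while n % p == 0: n //= p
        p += 1
    return fs + ([n] if n > 1 else [])

def is_irreducible(q):
    """Rabin's test: q of degree d is irreducible over F2 iff x^(2^d) = x (mod q)
    and gcd(x^(2^(d/p)) - x, q) = 1 for every prime p dividing d."""
    d = deg(q)
    if d < 1 or ppow(2, 1 << d, q) != pmod(2, q): return False
    return all(pgcd(q, ppow(2, 1 << (d // p), q) ^ 2) == 1 for p in prime_factors(d))

def is_primitive(q):
    """An irreducible q is primitive iff its root x has order 2^d - 1 in F2[x]/(q):
    x^((2^d - 1)/p) != 1 for every prime p | 2^d - 1 (the test of step 5, Section 6)."""
    d = deg(q)
    if not (q & 1) or not is_irreducible(q): return False
    return all(ppow(2, ((1 << d) - 1) // p, q) != 1 for p in prime_factors((1 << d) - 1))

def tsr_charpoly(f_T, f_S, n):
    """Proposition 3.1: f_(T,S)(l) = f_S(l)^m f_T(l^n / f_S(l)), m = deg f_T, i.e. the
    sum over the coefficients t_i of f_T of t_i l^(n i) f_S(l)^(m - i)."""
    m, Q = deg(f_T), 0
    for i in range(m + 1):
        if (f_T >> i) & 1:
            term = 1 << (n * i)
            for _ in range(m - i): term = pmul(term, f_S)
            Q ^= term
    return Q

def count_primitive(f_T, n):
    """How many S = (a_0, ..., a_{n-1}) with a_0 = 1 give a primitive TSR step for a
    fixed T with characteristic polynomial f_T (bit i of the int f_S is a_i)."""
    return sum(is_primitive(tsr_charpoly(f_T, f_S, n)) for f_S in range(1, 1 << n, 2))
```

For $f_T = x^4 + x + 1$ and $f_S = 1 + \lambda$ the formula gives $\lambda^8 + \lambda^5 + \lambda^3 + \lambda^2 + 1$, which is primitive, whereas the reducible $f_T = x^4 + x^2 + 1$ never yields a primitive step, as Corollary 3.2 predicts.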

Corollary 3.2. If $f_T(\lambda)$ is reducible over $F$, then so is $f_{(T,S)}(\lambda)$.

Proof. Suppose $f_T(\lambda) = q_1(\lambda) q_2(\lambda)$ is a nontrivial factorization of $f_T(\lambda)$
over $F$, $m_i = \deg q_i(\lambda)$. Then $f_S(\lambda)^{m_i} q_i\!\left(\frac{\lambda^n}{f_S(\lambda)}\right)$ are polynomials, and
$$f_{(T,S)}(\lambda) = \left(f_S(\lambda)^{m_1} q_1\!\left(\frac{\lambda^n}{f_S(\lambda)}\right)\right) \cdot \left(f_S(\lambda)^{m_2} q_2\!\left(\frac{\lambda^n}{f_S(\lambda)}\right)\right)$$
is a nontrivial factorization. □

Remark 3.3. In general, the probability that a monic polynomial of
degree $m$ chosen at random is irreducible is close to $1/m$. Thus, by
Corollary 3.2 the probability that $f_{(T,S)}(\lambda)$ is irreducible provided that
$f_T(\lambda)$ is irreducible should be about $m$ times larger than the probability
when $f_T(\lambda)$ is arbitrary.

4. Irreducibility through extension fields

The algorithm stated in the previous section considered polynomials
of a special form as candidates to be primitive. In this section we study
polynomials of this form, with the aim of improving the algorithm.

Let $F$ be a fixed finite field. Let $q(\lambda) = q_0 + q_1 \lambda + \cdots + q_m \lambda^m \in F[\lambda]$.
We write $p_{q(\lambda)}(x, y)$ for the homogeneous polynomial
$$x^m \cdot q(y/x) = q_0 x^m + q_1 x^{m-1} y + \cdots + q_m y^m.$$

We wish to find necessary conditions for polynomials of the form $p_{q(\lambda)}(g(\lambda), f(\lambda))$
to be irreducible. Clearly, if $g(\lambda), f(\lambda) \in F[\lambda]$ are not relatively prime,
then the polynomial $p_{q(\lambda)}(g(\lambda), f(\lambda))$ is reducible. Also, by Corollary
3.2, if $q(\lambda)$ is reducible, then so is $p_{q(\lambda)}(g(\lambda), f(\lambda))$. We are thus interested
in the following type of polynomials.

Definition 4.1. We say that a polynomial $p_{q(\lambda)}(g(\lambda), f(\lambda))$ is a candidate if:
(1) $q(\lambda)$ is irreducible over $F$, and
(2) $g(\lambda)$ and $f(\lambda)$ are relatively prime.
Theorem 4.2. Assume that $Q(\lambda) = p_{q(\lambda)}(g(\lambda), f(\lambda))$ is a candidate,
and let $\alpha$ be a root of $q(\lambda)$ in the splitting field $L$ of $q(\lambda)$. Then the
number of distinct irreducible factors of $Q(\lambda)$ over $F$ is equal to the
number of distinct irreducible factors of $f(\lambda) - \alpha g(\lambda)$ over $L$.

Proof. Denote by $\alpha_1, \ldots, \alpha_m \in L$ the (distinct) roots of $q(\lambda)$ in $L$, so
that $q(\lambda)$ has the form $\prod_{i=1}^m (\lambda - \alpha_i)$. We have that over $L$,
$$Q(\lambda) = g(\lambda)^m \cdot q\!\left(\frac{f(\lambda)}{g(\lambda)}\right) = \prod_{i=1}^m \big(f(\lambda) - \alpha_i g(\lambda)\big). \qquad (1)$$
We can extend the standard norm map $L \to F$ to a norm $N_{L/F} :
L[\lambda] \to F[\lambda]$ by $N_{L/F}(h(\lambda)) = \prod_{\sigma \in \mathrm{Gal}(L/F)} \sigma(h(\lambda))$, where $\sigma(\lambda) = \lambda$
for all $\sigma \in \mathrm{Gal}(L/F)$. Fix any $\alpha \in \{\alpha_1, \ldots, \alpha_m\}$. Using this notation,
Equation (1) is
$$Q(\lambda) = N_{L/F}\big(f(\lambda) - \alpha g(\lambda)\big).$$
We will use the following lemma.

Lemma 4.3. Let the field $L$ be an extension of $F$. Assume that $r(\lambda) \in
L[\lambda]$ is irreducible. Then $R(\lambda) = N_{L/F}(r(\lambda))$ is equal to an irreducible
polynomial over $F$ raised to the power $[L : L_0]$, where $L_0 \subseteq L$ is the
subfield generated by the coefficients of $r(\lambda)$ over $F$.

Proof. Since $N_{L/F} = N_{L_0/F} \circ N_{L/L_0}$, and $N_{L/L_0}(r(\lambda)) = r(\lambda)^{[L:L_0]}$, it is
enough to prove the claim in the case $L_0 = L$.

Let $R(\lambda) = R_1(\lambda) \cdots R_t(\lambda)$ be an irreducible factorization of $R(\lambda)$
over $F$. Obviously $r(\lambda)$ divides $R(\lambda)$ in $L[\lambda]$, and since $r(\lambda)$ is irreducible
we have that $r(\lambda)$ divides one of the factors, say $r(\lambda)$ divides
$R_1(\lambda)$.

Let $L_1$ be the splitting field of $R_1(\lambda)$ over $F$. Note that $L \subseteq L_1$,
since the coefficients of $r(\lambda)$ (which divides $R_1(\lambda)$) generate $L$. Let $L_2$
be the splitting field of $r(\lambda)$ over $L$; then $L_2 \subseteq L_1$ and $\deg R(\lambda) =
[L : F] \cdot \deg r(\lambda) = [L_2 : F]$ divides $[L_1 : F] = \deg R_1(\lambda)$. Thus
$R(\lambda) = R_1(\lambda)$ and is irreducible. □

Let
$$f(\lambda) - \alpha g(\lambda) = u_1(\lambda)^{e_1} \cdots u_t(\lambda)^{e_t}$$
be a factorization into irreducible polynomials over $L$.

Taking the norm from $L[\lambda]$ to $F[\lambda]$, we get the factorization
$$Q(\lambda) = U_1(\lambda)^{e_1} \cdots U_t(\lambda)^{e_t}$$
over $F$, where $U_i(\lambda) = N_{L/F}(u_i(\lambda))$. By Lemma 4.3 the polynomials
$U_i(\lambda)$ are irreducible (the coefficient of $\lambda^{\deg g(\lambda)}$ in $f(\lambda) - \alpha g(\lambda)$ generates
$L$). It thus remains to show that the $U_i(\lambda)$ are relatively prime. We
will show that $u_i$ is prime to $\sigma(u_j)$ for any $\sigma \in \mathrm{Gal}(L/F)$ and $j \neq i$.
Indeed, if $\sigma = 1$ then $u_i$ is prime to $u_j$ by the assumption. Otherwise,
$u_i$ divides $f - \alpha g$ and $\sigma(u_j)$ divides $f - \sigma(\alpha) g$, but $f - \alpha g$ and $f - \sigma(\alpha) g$
are distinct and irreducible, thus relatively prime. □

Corollary 4.4. Assume that $Q(\lambda) = p_{q(\lambda)}(g(\lambda), f(\lambda))$ is a candidate,
and let $L$ be the splitting field of $q(\lambda)$. Let $\alpha$ be a root of $q(\lambda)$ in $L$. Then
$Q(\lambda)$ is irreducible over $F$ if, and only if, $f(\lambda) - \alpha g(\lambda)$ is irreducible
over $L$.

According to Chapter 4], checking irreducibility of a degree $d$
polynomial amounts to performing Gauss elimination of a matrix of
size $d \times d$. In a finite field $F$ this requires roughly $d^3$ operations of
multiplication and addition. Assume that $Q(\lambda) = p_{q(\lambda)}(g(\lambda), f(\lambda))$ is
a candidate, and set $n = \max\{\deg f(\lambda), \deg g(\lambda)\}$. Checking the reducibility
of $Q(\lambda)$ directly over $F$ requires roughly $\deg Q(\lambda)^3 = m^3 n^3$
operations. Checking its reducibility via Corollary 4.4 requires roughly
$n^3$ operations, but here multiplication is more expensive: each multiplication
in $L$ requires roughly $m^2$ multiplications in $F$. Thus, the
algorithm implied by Corollary 4.4 is roughly $m$ times faster, where
$m = \deg q(\lambda)$. See also Remark 6.3.

5. Primitivity

Assume that $Q(\lambda) = p_{q(\lambda)}(g(\lambda), f(\lambda))$ is a candidate, $L$ is the splitting
field of $q(\lambda)$, and $\alpha$ is a root of $q(\lambda)$ in $L$. By Corollary 4.4, $Q(\lambda)$
is irreducible over $F$ if, and only if, $f(\lambda) - \alpha g(\lambda)$ is irreducible over
$L$. The analogous result for primitivity follows: $Q(\lambda)$ is primitive if,
and only if, it is irreducible and its roots generate $K^*$, where $K$ is
the splitting field of $Q(\lambda)$. Now, observe that $K$ is also the splitting
field of $f(\lambda) - \alpha g(\lambda)$, and that $Q(\lambda)$ and $f(\lambda) - \alpha g(\lambda)$ share the same
roots in $K$. This result, however, does not yield an improvement of the
algorithm stated in the previous section.

In this section we show that if $f(0) = 0$ and the base field is $F = F_2$
(these assumptions hold in the intended environment for the TSR),
then a candidate $Q(\lambda) = p_{q(\lambda)}(g(\lambda), f(\lambda))$ is primitive only if $q$ is primitive.
Thus, the TSR-generation algorithm should begin with primitive
transformations $T$, yielding an additional speedup factor $\phi(|L^*|)/|L^*|$,
which is roughly 2 when $\deg q(\lambda)$ is a power of 2, cf. [S].

It will be convenient to use the following definition.

Definition 5.1. Let $L$ be a finite field. The index of a nonzero element
$a \in L$ is the index $|L^*|/|\langle a \rangle|$ of the cyclic group generated by $a$ as a
subgroup of $L^*$.

An irreducible polynomial is primitive if, and only if, its roots have
index 1 in its splitting field. Note further that for $d$ dividing $|L^*|$, $a \in L$
has index $d$ if, and only if, $a = g^d$ for some generator $g$ of the cyclic
group $L^*$.

Lemma 5.2. Let $h(\lambda) \in L[\lambda]$ be an irreducible monic polynomial of
degree $n$ over $L$, with splitting field $K$ and a root $\mu$. Then
$$\mu^{|K^*|/|L^*|} = (-1)^n h(0).$$

Proof. Let $\mu_0, \ldots, \mu_{n-1}$ denote the (distinct) roots of $h(\lambda)$. Then $h(\lambda) =
(\lambda - \mu_0) \cdots (\lambda - \mu_{n-1})$ is the factorization over $K$, thus $h(0) = (-1)^n \mu_0 \cdots \mu_{n-1}$.
On the other hand, the Galois group of $K/L$ is generated by the Frobenius
automorphism $u \mapsto u^{|L|}$, thus the roots of $h(\lambda)$ are $\mu, \mu^{|L|}, \ldots, \mu^{|L|^{n-1}}$,
and
$$\mu_0 \cdots \mu_{n-1} = \mu^{1 + |L| + \cdots + |L|^{n-1}} = \mu^{\frac{|L|^n - 1}{|L| - 1}} = \mu^{|K^*|/|L^*|}. \qquad \square$$

Theorem 5.3. Assume that $F = F_2$ and $Q(\lambda) = p_{q(\lambda)}(g(\lambda), f(\lambda))$ is
an irreducible candidate with $f(0) = 0$. If $q(\lambda)$ is not primitive then
$Q(\lambda)$ is not primitive.

Proof. Let $K$ be the splitting field of $Q(\lambda)$ over $F$, and $L \subseteq K$ the
splitting field of $q(\lambda)$. Let $\mu \in K$ be a root of $Q(\lambda)$, and $\alpha \in L$ a root
of $q(\lambda)$.

Let $d_\mu$ denote the index of $\mu$ in $K$, and $d_\alpha$ the index of $\alpha$ in $L$. We
will show that $d_\alpha = (|L^*|, d_\mu)$. Thus, $d_\mu = 1$ implies $d_\alpha = 1$.

By Corollary 4.4, $h(\lambda) = f(\lambda) - \alpha g(\lambda)$ is irreducible over $L$. Since
every polynomial is monic over $F_2$, we can apply Lemma 5.2 to get that
$h(0) = \mu^{|K^*|/|L^*|}$. But $h(0) = f(0) - \alpha g(0) = \alpha g(0)$. As $f(\lambda)$ and
$g(\lambda)$ are relatively prime, $g(0) \neq 0$, thus $g(0) = 1$, and $h(0) = \alpha$.

Let $g$ be a generator of $K^*$ such that $\mu = g^{d_\mu}$.

Then $\alpha = \mu^{|K^*|/|L^*|} = g^{d_\mu |K^*|/|L^*|}$, and its order in $K^*$ is
$$|K^*|/(|K^*|, d_\mu |K^*|/|L^*|) = |L^*|/(|L^*|, d_\mu),$$
as asserted. □

6. The final generation algorithm

In light of the results obtained in the previous sections, we end up
with the following algorithm for TSR-generation over $F = F_2$.

Algorithm 6.1 (Primitive TSR generation).

(1) Choose at random a primitive transformation $T$ on $F_2^m$.

(2) Choose a random sequence $S = (a_0, \ldots, a_{n-1}) \in F_2^n$ such that
$a_0 \neq 0$.

(3) Choose a root $\alpha$ of $f_T(\lambda)$ in its splitting field $L$.

(4) Check that $\lambda^n - \alpha f_S(\lambda)$ is irreducible over $L$ (otherwise return
to step 1).

(5) Check that $Q(\lambda) = p_{f_T(\lambda)}(f_S(\lambda), \lambda^n)$ is primitive: choose a root
$\mu$ of $Q(\lambda)$ in its splitting field $K$, and check for all primes $p$
dividing $|K^*|$ that $\mu^{|K^*|/p} \neq 1$ (in fact, as we show below, it is
not needed to consider the cases where $p$ divides $|L^*|$).

(6) If $Q(\lambda)$ is not primitive, return to step 1.

Remark 6.2. Assuming that, generally, the probability that $Q(\lambda) =
p_{f_T(\lambda)}(f_S(\lambda), \lambda^n)$ is primitive is roughly the same for every primitive
transformation $T$, it would be more efficient to repeat steps 2 to 5 of
the algorithm several times before starting again from step 1. Thus,
the complexity of step 1 will be negligible with respect to the total
running time. Moreover, we argue below that step 5 usually occurs
only once.

Remark 6.3. In all of the mentioned algorithms, one can get a speedup
factor of $\tilde{m}$, where $\tilde{m}$ is the size of the word in the processor where
the search for the TSR is made (note that this need not be the same
processor on which the TSR will be implemented, thus $\tilde{m}$ need not be
equal to $m$). This is done by exploiting the processor's word-oriented
operations to define parallel versions of the basic operations used in
the algorithms.

For a natural number $n$, we denote by $C_n$ the (multiplicative) cyclic
group of order $n$. If $g$ is a generator of $C_n$, then $g^x$ is a generator as well
if, and only if, $(x, n) = 1$. This is why the number of generators of $C_n$
is exactly $\phi(n)$, where $\phi$ is Euler's function, and the probability that a
uniformly chosen element generates $C_n$ is $\phi(n)/n$. An irreducible polynomial
$Q(\lambda)$ is primitive if a root $\mu$ of $Q(\lambda)$ generates the multiplicative
group of its splitting field $K$. There is a natural 1 to $[K : F]$ correspondence
between irreducible monic polynomials of degree $[K : F]$
and elements of $K$ which do not belong to a proper subfield of $K$. This
correspondence implies that the probability that an irreducible $Q(\lambda)$ is
primitive is close to $\phi(|K^*|)/|K^*|$.

We now consider irreducible candidates. We wish to estimate the
probability that a candidate passing the test in step 4 of the algorithm
will also pass the final test of step 5. A candidate $Q(\lambda) =
p_{f_T(\lambda)}(f_S(\lambda), \lambda^n)$ is good if $T$ is primitive and $Q(\lambda)$ is irreducible. We
will find, heuristically, the probability that a good candidate is primitive.
Let $L$ be the splitting field of $f_T(\lambda)$, and $K$ be the splitting field
of $Q(\lambda)$. Factor $|K^*| = k_L \cdot a$, where $k_L$ is the product of all the prime
factors of $|K^*|$ which divide $|L^*|$ (allowing powers of primes). Then the
group $K^*$ is isomorphic to $C_{k_L} \times C_a$, where a prime $p$ divides $|L^*|$ if,
and only if, it divides $k_L$. A root $\mu$ of $Q(\lambda)$ generates $K^*$ if, and only
if, its projections in $C_{k_L}$ and $C_a$ are both generators.

In the proof of Theorem 5.3 we showed that $d_\alpha$, the co-order of a
root $\alpha$ of $f_T(\lambda)$ in $L$, is equal to $(|L^*|, d_\mu)$, where $d_\mu$ is the co-order of
$\mu$ in $K$. As $T$ is primitive (i.e. $d_\alpha = 1$), we have that $d_\mu$ is prime to
$|L^*|$. Thus, $d_\mu$ is prime to $k_L$, that is, $k_L$ divides the order of $\mu$ in $K^*$.
Therefore, the projection of $\mu$ in $C_{k_L}$ is a generator of that group. We
assume, heuristically, that the projection of $\mu$ on $C_a$ is (close to being)
uniformly distributed. Thus, the probability of its being a generator of
$C_a$ is close to $\phi(a)/a$. In general,
$$\frac{\phi(n)}{n} = \prod_{p \mid n} \left(1 - \frac{1}{p}\right),$$
and as a prime $p$ divides $a$ if, and only if, $p$ divides $|K^*|$ but not $|L^*|$,
we have that
$$\frac{\phi(a)}{a} = \frac{\phi(|K^*|)/|K^*|}{\phi(|L^*|)/|L^*|}.$$
We thus have a heuristic justification for the following claim.

Claim 6.4. Assume that $Q(\lambda) = p_{f_T(\lambda)}(f_S(\lambda), \lambda^n)$ is an irreducible
candidate over $F_2$, where $f_T(\lambda)$ is primitive. Then the probability that
$Q(\lambda)$ is primitive is close to
$$\frac{\phi(|K^*|)/|K^*|}{\phi(|L^*|)/|L^*|}.$$

Example 6.5. The probability in Claim 6.4 is usually close to 1. We
give here a few examples:

(1) When the word's size is 8 bits and the number of words is 7, we
have that $\phi(2^{56} - 1)/(2^{56} - 1) \approx 0.465$, $\phi(2^8 - 1)/(2^8 - 1) \approx 0.502$,
and the division yields probability close to 0.927.

(2) When the word's size is 16 bits and the number of words is 4,
we get probability close to 0.998.

(3) For values 24 and 3, respectively, we get 0.898.

(4) For values 32 and 2 we get 0.998.

7. Concluding remarks

We have presented the family of linear transformation shift registers,
which is efficient in software implementations. The theory we developed
enabled us to get an efficient algorithm for generation of primitive
transformations of this type (i.e., which have maximal period), thus
answering a challenge raised in [8].

Variants of our construction may prove more appropriate for certain
applications. Arguments similar to the ones we have presented here
may be found useful in the study of these variants as well. A noteworthy
variant of the LFSR type that we have studied is the internal-xor,
or Galois, shift register (see, e.g., [H]). The number of new bits generated
in one step of an internal-xor shift register is equal on average to
half of the number of taps in that LFSR. Our construction suggests an
obvious analogous internal-xor TSR. We get exactly the same results for
this case, since the characteristic polynomial of an internal-xor TSR is
equal to that of the corresponding external-xor TSR, which we have
studied in this paper.